dws: only allow owner to create persistent #215
Who is meant by the "instance owner" here? I'm not sure I follow how this is intended to work.
It's the userid that is running the flux instance. For the system instance it's the
In theory I could also restrict it to
@garlick do you have any tips for how I could submit a job as another user in the testsuite to make sure it's rejected?
35febad to e157674
It's unfortunately a bit complicated to fake that, but have a look at https://github.com/flux-framework/flux-core/blob/master/t/t2404-job-exec-multiuser.t

Note that if you are using test execution then it is a lot less complicated. Just take the

```sh
submit_as_alternate_user()
{
        # Userid the job will appear to come from
        FAKE_USERID=42
        # Generate the jobspec without submitting it, then sign it as the fake user
        flux run --dry-run "$@" | \
          flux python ${SHARNESS_TEST_SRCDIR}/scripts/sign-as.py $FAKE_USERID \
            >job.signed
        # Submit the signed jobspec with the handle's userid overridden to match
        FLUX_HANDLE_USERID=$FAKE_USERID \
          flux job submit --flags=signed job.signed
}
```

See t2400-job-exec-test.t for example of usage. This requires a flux-core compiled with flux-security, so you'll want to use a prereq as in that test as well.
e157674 to 06ac9a2
IMO this implementation tracks with our recent discussions in the Fluxion meetings. Approving.
src/modules/coral2_dws.py
Outdated
@@ -284,6 +285,12 @@ def create_cb(handle, _t, msg, api_instance): | |||
raise TypeError( | |||
f"Malformed dw_directives, not list or string: {dw_directives!r}" | |||
) | |||
for directive in dw_directives: | |||
if not unrestricted_persistent and "create_persistent" in directive: | |||
if userid != os.getuid(): |
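Review bot: the `"create_persistent" in directive` test in the added loop is a substring match over the whole directive string, so a directive that merely contains that text (for example in a name argument) is treated as a create request. That fails closed, which is the safe direction, but it can reject unrelated jobs; if that matters, compare the directive's command word instead, using the same tokenization as whatever consumes the directive. On the last added line, `userid != os.getuid()` compares against the uid of the process running this module, which matches the instance owner only when the module is started by that user; state that assumption in a comment or compare against the instance's recorded owner. The `not unrestricted_persistent` test does not depend on `directive` and can be hoisted out of the loop.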
If this is running at the system instance level you could call getattr on security.owner. But up to you
That's a good point! Probably more robust too. I force-pushed to make it do that instead. Setting MWP.
06ac9a2 to 8bb0c45
Problem: until further work is done to support various usage policies for persistent file systems, it is sometimes desirable to restrict their creation to the instance owner. Reject jobs with `create_persistent` strings unless the job was submitted by the instance owner. Add a flag to disable the check.
Problem: to test the UID enforcement of the create_persistent restrictions, it would be helpful to submit a job as another user. Copy over the sign-as.py script from flux-core.
Problem: there are no tests that non-owners' create_persistent jobs are rejected. Add a test.
8bb0c45 to 95b2143
Problem: until further work is done to support various usage policies for persistent file systems, it is sometimes desirable to restrict their creation to the instance owner.
Reject jobs with `create_persistent` strings unless the job was submitted by the instance owner. Add a flag to disable the check.
Fixes #205.
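
The owner-only policy described in this pull request, as an added Python example that is not part of the PR or the project's code: it contrasts the hunk's substring test with a match on the directive's command word. The `#DW <command> key=value` layout, the function names, and the sample uids and directives are assumptions made for illustration.

```python
CREATE = "create_persistent"

def split_directives(dw_directives):
    """Return directive strings from a list, or from one string holding several."""
    if isinstance(dw_directives, str):
        # Assumption: each directive in the string starts with the "#DW" marker.
        head, *rest = dw_directives.split("#DW")
        if head.strip():
            raise ValueError(f"text before first #DW marker: {head!r}")
        return ["#DW" + r for r in rest]
    if isinstance(dw_directives, list):
        return dw_directives
    raise TypeError(f"Malformed dw_directives, not list or string: {dw_directives!r}")

def command_of(directive):
    """Command word of a '#DW <command> key=value ...' directive, else None."""
    tokens = directive.split()
    return tokens[1] if len(tokens) >= 2 and tokens[0] == "#DW" else None

def substring_match(directives):
    """The test as written in the hunk: the text anywhere in a directive matches."""
    return any(CREATE in d for d in directives)

def command_match(directives):
    """Match only when create_persistent is the directive's command word."""
    return any(command_of(d) == CREATE for d in directives)

def rejected(dw_directives, userid, owner, unrestricted_persistent=False,
             match=command_match):
    """True if the policy refuses the job: a non-owner asks to create persistent storage."""
    directives = split_directives(dw_directives)  # validate type even for the owner
    if unrestricted_persistent or userid == owner:
        return False
    return match(directives)

# Constructed sample input; uids and directive arguments are illustrative.
OWNER, OTHER = 1000, 42
CREATE_JOB = ["#DW create_persistent type=xfs capacity=1GiB name=proj"]
USE_JOB = "#DW jobdw type=xfs capacity=1GiB name=no_create_persistent_here"

if __name__ == "__main__":
    for label, job in (("create", CREATE_JOB), ("use", USE_JOB)):
        for uid in (OWNER, OTHER):
            print(label, uid,
                  "substring:", rejected(job, uid, OWNER, match=substring_match),
                  "command:", rejected(job, uid, OWNER))
```

The command-word match is only safe when it tokenizes directives exactly as the component that later acts on them; where that cannot be guaranteed, the substring test is the fail-closed choice.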